### Key Information

- **Vulnerability Title**: Uncontrolled search path leads to unauthorized code execution on Windows
- **Publisher**: krassowski
- **CVE ID**: CVE-2025-53000
- **Severity**: High (7.0 / 10)
- **Affected Versions**: <=7.16.6
- **Fixed Version**: 7.17.0
- **CVE Description**:
  - On Windows, converting a notebook containing SVG output to PDF may lead to unauthorized code execution. Specifically, a third party could create an `inkscape.bat` file defining a Windows batch script capable of executing arbitrary code.
  - When a user runs the command `jupyter nbconvert --to pdf` to convert a notebook containing SVG output to PDF, if `inkscape.bat` exists in the same directory, the batch script will be inadvertently executed.
- **Vulnerability Details**:
  - `nbconvert` searches for the `inkscape` executable in specific paths when converting notebooks to PDF.
  - The root cause of this vulnerability is that `LoadLibrary` or `LoadLibraryEx` functions are called without fully qualified path names. These functions follow a specific search order, which may include uncontrolled path elements such as the directory from which the program was loaded and the current working directory.
- **PoC (Proof of Concept)**:
  - Create a directory containing a specific batch file and a test `.ipynb` file.
  - Run a specific Jupyter command to perform the conversion.
  - A pop-up window with a specific message should appear, indicating that the system has been compromised.
- **Impact**: All Windows users.
- **CVE Related**:
  - CWE: CWE-427 (Uncontrolled Search Path Element)
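The following is an added example illustrating the CWE-427 pattern described above; it is not nbconvert's code or its fix. It contrasts an executable lookup that consults the current working directory and accepts any shell-runnable extension (so a file named `inkscape.bat` placed beside the notebook shadows the real tool) with a hardened lookup that only consults explicit absolute directories, never the working directory, and only accepts the expected `.exe` name. Windows extension semantics are simulated with empty placeholder files in a temporary directory so the example runs on any platform; the directory layout, the `EXPECTED_EXTS` assumption and the function names are constructed for this example.

```python
"""Illustrative external-tool resolver (example code, not nbconvert's own).

Contrasts a CWD-first lookup (the CWE-427 pattern behind CVE-2025-53000) with
a lookup restricted to explicitly configured directories and the expected
binary extension.
"""
import os
import tempfile
from pathlib import Path
from typing import Iterable, Optional

# Assumption for this example: the only legitimate binary is inkscape.exe.
EXPECTED_EXTS = (".exe",)
# Extensions a Windows shell will also run when given a bare command name.
SHELL_RUNNABLE_EXTS = (".exe", ".bat", ".cmd", ".com")


def resolve_cwd_first(name: str, path_dirs: Iterable[str]) -> Optional[Path]:
    """Vulnerable pattern: the current working directory is searched before
    PATH and any shell-runnable extension is accepted, so a .bat file next to
    the notebook wins over the real installation."""
    for directory in [os.getcwd(), *path_dirs]:
        for ext in SHELL_RUNNABLE_EXTS:
            candidate = Path(directory) / f"{name}{ext}"
            if candidate.is_file():
                return candidate
    return None


def resolve_hardened(name: str, path_dirs: Iterable[str]) -> Optional[Path]:
    """Hardened pattern: only explicit absolute directories are consulted, the
    working directory is never used (even if listed), and only the expected
    binary extension is accepted."""
    cwd = Path(os.getcwd()).resolve()
    for directory in path_dirs:
        d = Path(directory)
        if not d.is_absolute():
            continue  # a relative entry would silently re-introduce the CWD
        if d.resolve() == cwd:
            continue  # an explicit "." or CWD entry in PATH is not trusted
        for ext in EXPECTED_EXTS:
            candidate = d / f"{name}{ext}"
            if candidate.is_file():
                return candidate.resolve()
    return None


def demo() -> dict:
    """Constructed layout: a 'notebook' directory holding an untrusted
    inkscape.bat and a separate 'bin' directory holding the legitimate
    inkscape.exe. Both are empty placeholder files."""
    with tempfile.TemporaryDirectory() as root:
        notebook_dir = Path(root) / "notebook"
        bin_dir = Path(root) / "bin"
        notebook_dir.mkdir()
        bin_dir.mkdir()
        (notebook_dir / "inkscape.bat").write_text("")  # placeholder only
        (bin_dir / "inkscape.exe").write_text("")       # placeholder only
        old_cwd = os.getcwd()
        os.chdir(notebook_dir)  # simulate running nbconvert from the notebook dir
        try:
            vulnerable = resolve_cwd_first("inkscape", [str(bin_dir)])
            hardened = resolve_hardened("inkscape", [str(bin_dir)])
        finally:
            os.chdir(old_cwd)
        return {
            "vulnerable_picked_bat": vulnerable is not None and vulnerable.suffix == ".bat",
            "hardened_picked_exe": hardened is not None and hardened.suffix == ".exe",
        }


if __name__ == "__main__":
    print(demo())
```

The design point is that the fix is not a denylist of file names: the hardened resolver removes the working directory from the search order entirely and pins the expected extension, which is what a defender should verify in any code that launches helper tools by bare name on Windows.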